7 Deadly Sins of Mail Server Misconfigurations

Written by Ed Fisher on August 21, 2010

Whether you admin Exchange, Sendmail, MailEnable, Lotus Notes, or any other Internet email system, there are certain things that all these systems have in common. There are certain configurations that must be supported, and others that must not be, which newly live systems often miss. Whether you are an experienced admin or relatively new to the world of email, the seven deadly sins of mail server misconfiguration can pop up and bite you. Take heed, and check your systems to ensure you are good to go. Failing to do so can result in very bad things, like being added to DNS blacklists.

1. Open Relay

Let’s get the worst of the lot out of the way up front. The SMTP protocol was designed to get mail to the destination address. SMTP servers like to relay. Being an open relay not only enables spammers to use your system to distribute their noise, it is the shortest path between point A and point B, where B stands for BANNED FROM SENDING EMAIL. Use one of the open relay tests discussed here to ensure that your system is not configured as an open relay. Do this within the first 10 seconds after opening TCP 25 on the firewall, because it will only be a matter of minutes before spammers scanning for relays try to abuse your system.

2. Plain-text Authentication

For every strong password policy, there is someone who allows plain-text authentication. Practically every mail system on the market that supports client protocols (POP3, IMAP) also supports the encrypted versions over TLS (POP3S, IMAPS). Ensure that the product you have chosen supports the TLS variants, disable the plaintext versions, and only allow encrypted authentication to protect the integrity of your users' credentials.

3. DNS errors

Email systems require more records in DNS than any other system, largely because of the number of spammers out there spoofing addresses or running scripts from home machines. Make sure that your email systems have valid A (and CNAME, if relevant) records, the required MX records for all systems (even outbound-only MTAs), PTR records, and SPF records. If you do not control your in-addr.arpa zone, contact your ISP to add the appropriate PTR records for your mail servers, and see this article on setting up SPF records.
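The checks in this section are easy to script. The following is an added example, not code from the article or from any mail product: it takes a snapshot of records you have already looked up (a constructed sample for the placeholder domain example.com, so it runs offline) and reports the gaps listed above: MX targets with no A record, mail hosts with no PTR or with a PTR that does not resolve back (no forward-confirmed reverse DNS), and an SPF record that is missing, duplicated, open-ended, or does not cover one of your sending hosts. The record dictionary layout, the hostnames and the addresses are all assumptions made for the example.

```python
"""Offline sanity check for the DNS records a mail host depends on (added example).

Feed it the A/MX/PTR/TXT answers you collected with dig or host; it never queries DNS itself.
"""
import ipaddress

# Constructed sample zone data for the placeholder domain example.com.
# mx2 has no A record, and outbound's PTR points at a name that does not
# resolve back, so both should be reported.
SAMPLE = {
    "mx": {"example.com": ["mail.example.com", "mx2.example.com"]},
    "a": {
        "mail.example.com": ["192.0.2.10"],
        "outbound.example.com": ["192.0.2.11"],
    },
    "ptr": {"192.0.2.10": "mail.example.com", "192.0.2.11": "smtp-out.isp.example"},
    "txt": {"example.com": ["v=spf1 mx ip4:192.0.2.11 -all", "site-verification=abc"]},
}
MAIL_HOSTS = ["mail.example.com", "outbound.example.com"]  # every host that sends or receives mail


def check_mx(records, domain):
    """Every MX target must resolve to an A record."""
    problems = []
    targets = records["mx"].get(domain, [])
    if not targets:
        problems.append(f"{domain}: no MX record")
    for target in targets:
        if not records["a"].get(target):
            problems.append(f"MX target {target} has no A record")
    return problems


def check_ptr(records, hosts):
    """Each mail host address needs a PTR whose name resolves back to that address."""
    problems = []
    for host in hosts:
        for addr in records["a"].get(host, []):
            name = records["ptr"].get(addr)
            if name is None:
                problems.append(f"{addr} ({host}): no PTR record")
            elif addr not in records["a"].get(name, []):
                problems.append(f"{addr}: PTR {name} does not resolve back to {addr}")
    return problems


def spf_networks(records, domain, spf):
    """Networks authorized by the ip4, mx and a mechanisms of one SPF record.
    include:/redirect= are deliberately not followed (they would need live lookups),
    so hosts authorized only through them show up as unauthorized here."""
    nets = []
    for term in spf.split()[1:]:
        mech = term.lstrip("+-~?")  # drop the qualifier
        if mech.startswith("ip4:"):
            nets.append(ipaddress.ip_network(mech[4:], strict=False))
        elif mech == "mx":
            for target in records["mx"].get(domain, []):
                nets += [ipaddress.ip_network(a) for a in records["a"].get(target, [])]
        elif mech == "a":
            nets += [ipaddress.ip_network(a) for a in records["a"].get(domain, [])]
    return nets


def check_spf(records, domain, hosts):
    """Exactly one v=spf1 record, ending in an 'all' mechanism, covering every sending host."""
    spf = [t for t in records["txt"].get(domain, []) if t.startswith("v=spf1")]
    if len(spf) != 1:
        return [f"{domain}: expected exactly one v=spf1 TXT record, found {len(spf)}"]
    problems = []
    if spf[0].split()[-1].lstrip("+-~?") != "all":
        problems.append(f"{domain}: SPF record does not end with an 'all' mechanism")
    nets = spf_networks(records, domain, spf[0])
    for host in hosts:
        for addr in records["a"].get(host, []):
            if not any(ipaddress.ip_address(addr) in net for net in nets):
                problems.append(f"{addr} ({host}) is not authorized by SPF")
    return problems


def audit(records, domain, hosts):
    """All three checks in one list; an empty list means the records look consistent."""
    return check_mx(records, domain) + check_ptr(records, hosts) + check_spf(records, domain, hosts)


if __name__ == "__main__":
    for problem in audit(SAMPLE, "example.com", MAIL_HOSTS):
        print("PROBLEM:", problem)
```

Run against the sample it reports two problems: the second MX has no A record, and the outbound host's PTR points at an ISP name that does not resolve back to it, which is exactly the case where you have to ask the ISP to fix the in-addr.arpa zone. Replace SAMPLE with your own lookups (or wrap the functions around a resolver library) to check a real domain.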

4. Banner information disclosure

Using complex fingerprinting techniques, many email systems can be identified, but it requires skill and patience to do so. Most bad guys out there either use automated scanners to grab banners, or just telnet to TCP 25 and read the response to a HELO command. Reconfigure all Internet-accessible email servers to use a custom banner that does not reveal the mail server version, or any internal names or IP addresses. You can indulge your creative side when you do this!

[Screenshot: My SMTP Banner]

5. RFC 2142 names

Folks, the RFCs are the rules of the road, where the road means the information superhighway we all use. RFC 2142 defines certain mailboxes that must be supported on a domain, including POSTMASTER and ABUSE. Both of these are relevant to our interests, as the POSTMASTER address is intended to represent the person(s) responsible for the domain's email system, and the ABUSE address is where to submit complaints about inappropriate activities, like spamming. Sure, both will get a TON of spam, but you need to set them up anyway, and then check them regularly for legitimate mails from other sysadmins.
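Sins 1, 4 and 5 can all be verified in one SMTP conversation with your own server, and none of them requires actually sending a message. The script below is an added example, not code from the article or from any mail product: it reads the greeting and flags version numbers, product names and IP addresses; confirms that postmaster@ and abuse@ are accepted; and checks that a sender and recipient who are both foreign to your domain are refused (the relay test). Every probe is a MAIL FROM/RCPT TO pair followed by RSET. It talks to any object with recv_line()/send_line(), so it can run against a real socket to the host you administer, or offline against the constructed ScriptedServer included here. The server replies, hostnames, the product-name list and the probe addresses (under the reserved .invalid TLD) are all assumptions made for the example.

```python
"""SMTP self-check for banner disclosure, RFC 2142 mailboxes and relaying (added example)."""
import ipaddress
import re
import socket
import sys

PRODUCT_NAMES = ("sendmail", "postfix", "exim", "microsoft", "mailenable", "lotus", "domino", "exchange")
VERSION_RE = re.compile(r"\b\d+\.\d+(?:\.\d+)*\b")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


class SocketLineConn:
    """Line adapter for a real TCP connection to a server you are responsible for."""
    def __init__(self, host, port=25, timeout=10):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.rfile = self.sock.makefile("r", encoding="ascii", errors="replace", newline="\r\n")

    def recv_line(self):
        return self.rfile.readline().rstrip("\r\n")

    def send_line(self, line):
        self.sock.sendall((line + "\r\n").encode("ascii"))


class ScriptedServer:
    """Constructed stand-in for a mail server; the flags decide how well it is configured."""
    def __init__(self, banner, local_domain, mailboxes, relay_open=False):
        self.local_domain, self.mailboxes, self.relay_open = local_domain, set(mailboxes), relay_open
        self.pending = [banner]  # replies queued for the client to read

    def recv_line(self):
        return self.pending.pop(0)

    def send_line(self, line):
        verb = line.split()[0].upper()
        if verb == "EHLO":
            self.pending += ["250-mail." + self.local_domain, "250 STARTTLS"]
        elif verb == "MAIL":
            self.pending.append("250 2.1.0 Ok")
        elif verb == "RCPT":
            local_part, _, domain = line[line.index("<") + 1:line.index(">")].partition("@")
            if domain == self.local_domain:
                self.pending.append("250 2.1.5 Ok" if local_part in self.mailboxes else "550 5.1.1 User unknown")
            else:  # relaying decision: a correctly configured server refuses foreign recipients
                self.pending.append("250 2.1.5 Ok" if self.relay_open else "554 5.7.1 Relay access denied")
        else:
            self.pending.append({"RSET": "250 2.0.0 Ok", "QUIT": "221 2.0.0 Bye"}.get(verb, "502 5.5.2 Command not implemented"))


def read_reply(conn):
    """Collect one (possibly multi-line) SMTP reply as (code, [text lines])."""
    lines = []
    while True:
        line = conn.recv_line()
        lines.append(line[4:])
        if line[3:4] != "-":  # "250-" continues, "250 " ends the reply
            return int(line[:3]), lines


def banner_findings(banner):
    """What the greeting gives away: IP addresses, a version number, a product name."""
    findings, text = [], banner
    for candidate in IPV4_RE.findall(banner):
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue
        findings.append(f"{'private' if ip.is_private else 'public'} IP address {candidate} disclosed")
        text = text.replace(candidate, " ")  # so the version regex does not re-match it
    if VERSION_RE.search(text):
        findings.append("version number disclosed")
    findings += [f"product name '{n}' disclosed" for n in PRODUCT_NAMES if n in text.lower()]
    return findings


def rcpt_accepted(conn, recipient, sender=""):
    """True if the server would accept mail for recipient; the transaction is always reset."""
    conn.send_line(f"MAIL FROM:<{sender}>")
    code, _ = read_reply(conn)
    accepted = False
    if code == 250:
        conn.send_line(f"RCPT TO:<{recipient}>")
        code, _ = read_reply(conn)
        accepted = code == 250
    conn.send_line("RSET")
    read_reply(conn)
    return accepted


def run_checks(conn, domain, ehlo_name="probe.example.net"):
    results = {}
    _, greeting = read_reply(conn)
    results["banner"] = banner_findings(greeting[0])
    conn.send_line(f"EHLO {ehlo_name}")
    _, ehlo = read_reply(conn)
    results["starttls"] = any(l.upper().startswith("STARTTLS") for l in ehlo)
    results["missing_rfc2142"] = [m for m in ("postmaster", "abuse") if not rcpt_accepted(conn, f"{m}@{domain}")]
    # Sender and recipient both foreign (.invalid is reserved by RFC 2606): a correct server refuses this.
    results["open_relay"] = rcpt_accepted(conn, "probe@relay-test.invalid", "probe@relay-test.invalid")
    conn.send_line("QUIT")
    read_reply(conn)
    return results


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python smtp_check.py <your mail host> <your domain>
        conn, domain = SocketLineConn(sys.argv[1]), sys.argv[2]
    else:  # offline demo against a badly configured scripted server
        conn = ScriptedServer("220 mail.example.com ESMTP Sendmail 8.14.4; ready", "example.com", ["postmaster"], relay_open=True)
        domain = "example.com"
    print(run_checks(conn, domain))
```

Against the scripted "bad" server the result reports a version number and product name in the banner, abuse@ missing, and open_relay True; a server with a neutral greeting, both RFC 2142 mailboxes and relaying refused comes back clean. The banner heuristics are deliberately simple (a short product list and a version-number pattern), so treat an empty finding list as "nothing obvious", not proof of a clean banner.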

6. Not scanning inbound and outbound mail

While it is critical to scan all incoming mail for malware, phishing attempts, and other inappropriate content, it is just as important that you scan outgoing mail to ensure that your users are not leaking state secrets, abusing your corporate email for their own gain, or <gasp> sending out emails as the result of some malware. Ensure that your company has an Acceptable Use Policy, attach a standard corporate disclaimer to all outbound mails, and scan to ensure that prohibited content, like customer NPI (non-public personal information) or infected attachments, is not included in outbound mail. It's called acting responsibly, and being a good Internet citizen.

7. Not setting reasonable limits

While you may have terabytes of storage and an OC-48 connection, not everyone else does. Set a reasonable limit on attachment sizes, on the number of addressees an outbound email can target, and on the rate at which outbound emails can be sent. You do not want your company perceived as a bulk sender, and you don't want to overwhelm someone else's email system when a person in marketing tries to send a 112MB print-ready PDF to all 30 contacts at the customer's business. They should have saved it as an Internet-ready version, which would have come in at 867KB, and mailed a link so the recipients could download it at their convenience.

While there are plenty of other things that you need to pay attention to (storage, backups, and connectivity, to name a few), avoiding these seven deadly sins will go a long way towards making your email efforts successful, and help you avoid the sort of thing we like to call a career-limiting event.


5 Comments to “7 Deadly Sins of Mail Server Misconfigurations”

  1. denny chow Says:

    Our company has recently been trying to train its staff to become, as the article states, “good Internet citizens”. We’ve just recently come out from an unfortunate debacle with a few of our clients after one of our (former) employees had been sending them infected attachments, which were, according to him, outside his knowledge.

    The story runs much deeper than that; but now we’ve taken more proactive measures towards making sure that it’s never repeated.

  2. Ganesh Says:

    It’s unbelievable how many techs (and middle management yokels) let number seven slide. We’ve had a good number of clients assume that putting a proper limit on attachment sizes isn’t a very smart thing to do. What they don’t understand though is that it’s also a way of protecting your recipient’s bandwidth from getting chewed up by missent e-mails. We’ve had some clients believe that a memo is all it takes to prevent employees from sending big attachments. But all it actually takes is putting a limit on the size.

  3. Changing your SMTP banner for fun and profit Says:

    [...] up in my series of guest posts on TheEmailAdmin is actually a follow-up post to the earlier 7 Deadly Sins of Mail Server Misconfigurations. In this post, I go over how to change the banner of your SMTPd on several popular mail server [...]

  4. Ed Fisher Says:

    Hi Denny,
    It’s great to read about a company being proactive. Great job. Thanks for sharing.
    Ed

  5. Ed Fisher Says:

    Hi Ganesh,
    You’re right…I’ve been challenged in the past about the technical settings for setting limits, and the argument was that sending an email out to the company would suffice. Shortly thereafter a marketing team sent a 12MB PDF to a d/l of 2000+ users. The number of bouncebacks crushed our DS3. Some lessons must be learned the hard way. Restrictions were approved that afternoon.
